Security Challenges with IoT in Hospitality

According to research by IOTForAll, hospitality is successfully using IoT to make radical leaps forward in guest satisfaction, employee productivity, and environmental sustainability while decreasing unnecessary costs and labor.

For example, “A smart energy management system knows when a guest room is unoccupied and can automatically adjust the temperature to reduce energy consumption by as much as 20-45 percent,” according to Telkonet. Those utility savings translate into significant margin growth and definite gains in environmental sustainability.

IoT Use in Hospitality

Guest-room Automation: Guest-room automation provides a way for hotels to stand out from the competition by making guests feel comfortable, accommodated, and on the cutting edge of modernity. For example, Starwood Hotels & Resorts utilized a technique called “daylight harvesting” to save energy and increase indoor lighting consistency by automatically adjusting the LED lighting based on the natural light detected coming into the room.

Predictive Maintenance: Predictive maintenance takes preventive maintenance one step further by using sensor data to recognize hazardous trends and alert the appropriate maintenance engineer before the issue escalates. For example, if you’re tracking 16 meters manually with a labor cost of $16/hour, checking the meters once per day will cost you $3,840 annually. Now imagine checking the meters once per hour, once per minute, or once per second. It becomes impossible to check your meters that often manually; only IoT makes it practical. Predictive maintenance empowers you to make highly accurate predictions about what to repair, where, and when. It focuses human attention where and when it’s most needed.

Mobile Engagement: Guests can use their phone as the key to their room or for submitting requests to the front desk. Mobile engagement is also a back-of-house tool through the use of an EAM/CMMS application. Engineers can access work requests or work orders that need to be performed on the property, which increases guest satisfaction by eliminating the need for a paper request that could go unnoticed.

Hyper-Personalization: Personal data can be used to provide a personal touch to hotel guests and make their stay special. For example, an IoT platform could, over time, memorize a guest’s specific comfort preferences, such as temperature, lighting, and TV channels, and automatically set up the room for their next stay.

APIs and Third-Party Integration: As the IoT market matures, vendors are likely to consolidate, creating a smaller number of vendors with more cohesive system offerings. Until then, integration will provide work for many, and APIs combined with standard data communication protocols will be the lifeblood of an integrated IoT system.

Lurking in the Shadows

The dark side of this explosive IoT growth is the concomitant increase in cybersecurity risk. Each device incorporated into a hotel’s digital infrastructure opens an additional vector for exploitation by hackers. The most recent headline-grabbing example: a hacker accessed the high-roller database of a major Las Vegas casino through a smart thermometer in the lobby fish tank.

The attackers used the thermostat to get a foothold in the network. Then, they pivoted across a segmented network to access the crown jewels: the high-roller database.

This attack demonstrates the significant level of risk posed by IoT devices in hospitality today. In this case, the hacker was able to penetrate a network, pivot, and exfiltrate confidential data without touching many traditional endpoints. That means that your existing endpoint monitoring, intrusion detection systems, and log aggregators would likely never have seen this activity – no matter how sophisticated they are.
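The detection gap described above, as an added example that is not from the original article: a small Python check that runs NetFlow-style flow records against a per-device expected-behaviour profile, flagging an IoT device that contacts an internal host it should never reach and a device whose outbound volume exceeds a threshold. Device names, subnets, thresholds and the flow records are constructed assumptions a defender would replace with their own inventory.

```python
"""Flag IoT devices that step outside their expected network behaviour."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical inventory: the only destinations and ports each device class should reach.
# A fish-tank thermometer has no business talking to anything on the internal network.
PROFILES = {
    "fishtank-thermometer": {"allowed_dst": [ip_network("203.0.113.0/24")],
                             "allowed_ports": {443}},
}
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
EXFIL_BYTES = 5_000_000  # assumed per-device outbound byte threshold for one reporting window

# Constructed NetFlow-style records: (device, src_ip, dst_ip, dst_port, bytes_sent)
SAMPLE_FLOWS = [
    ("fishtank-thermometer", "10.20.5.17", "203.0.113.10", 443, 1_200),      # normal vendor check-in
    ("fishtank-thermometer", "10.20.5.17", "203.0.113.10", 443, 980),
    ("fishtank-thermometer", "10.20.5.17", "10.10.8.44", 1433, 3_400),       # reaching a DB server: pivot
    ("fishtank-thermometer", "10.20.5.17", "10.10.8.44", 1433, 48_000),
    ("fishtank-thermometer", "10.20.5.17", "198.51.100.7", 443, 9_700_000),  # bulk upload to unknown host
]


def is_internal(ip):
    """True if the address falls in one of the private ranges above."""
    return any(ip in net for net in INTERNAL)


def detect(flows, profiles=PROFILES, exfil_bytes=EXFIL_BYTES):
    """Return (device, reason) alerts: unknown devices, off-profile peers, excess egress."""
    alerts, seen, egress = [], set(), defaultdict(int)
    for dev, _src, dst, port, nbytes in flows:
        dst_ip = ip_address(dst)
        if not is_internal(dst_ip):
            egress[dev] += nbytes  # only bytes leaving the estate count toward exfiltration
        if (dev, dst, port) in seen:
            continue  # one alert per device/peer pair
        seen.add((dev, dst, port))
        prof = profiles.get(dev)
        if prof is None:
            alerts.append((dev, f"device not in inventory, seen talking to {dst}:{port}"))
        elif port not in prof["allowed_ports"] or not any(dst_ip in n for n in prof["allowed_dst"]):
            kind = "lateral movement to internal host" if is_internal(dst_ip) else "off-profile external peer"
            alerts.append((dev, f"{kind} {dst}:{port}"))
    for dev, total in egress.items():
        if total > exfil_bytes:
            alerts.append((dev, f"egress {total} bytes exceeds {exfil_bytes}"))
    return alerts
```

The profile-based check works even though the thermometer itself runs no agent, which is the point: a black-box device is still observable from the network, so its flows can be matched against what it is supposed to do.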

It is also important to note that in these types of attacks, hackers often have the opportunity to do even greater harm. There could be power distribution units on the network susceptible to N-day vulnerabilities that would have enabled a sophisticated attacker to power down parts of the casino’s network. Security cameras could have been accessible and used for physical surveillance. System backups on a NAS could be destroyed or ransomed. All of these attacks are possible today.

Where to go from Here

The reason these attacks work well and go undetected for so long is that today’s enterprise security stack simply was not designed to handle myriad unmanaged, single-purpose, black-box devices. The entire industry has been designed to protect powerful, transparent, multi-function endpoints that can be monitored and inspected. Traditional endpoints have their own challenges (like humans running arbitrary software on them), so it is not a matter of one type of security being easier than the other. It is simply that IoT security is different from traditional IT security. IoT endpoints have very different behaviors and security characteristics, and thus a new solution is needed.

Today’s security stack is fundamentally broken when it comes to IoT. Most organizations cannot even identify the devices on their networks – let alone detect and respond to attacks. Finite State is offering our partners a new security stack that is designed from the ground up to fill the gaps created by black-box IoT devices. Our team, including some of the best IoT hackers in the world, has compiled the largest data set of IoT risk and attack data available, and we are making it available to you in our suite of products. Stakeholders across hospitality enterprises cannot depend on manufacturers alone to provide security for their IoT deployments. The hospitality industry needs IoT security today.